CVE-2023-26137

All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.
Configurations

Configuration 1 (hide)

cpe:2.3:a:drogon:drogon:*:*:*:*:*:*:*:*

History

13 Jul 2023, 16:28

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
CWE CWE-444
CPE cpe:2.3:a:drogon:drogon:*:*:*:*:*:*:*:*
References (MISC) https://security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665554 - (MISC) https://security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665554 - Third Party Advisory
References (MISC) https://gist.github.com/dellalibera/666d67165830ded052a1ede2d2c0b02a - (MISC) https://gist.github.com/dellalibera/666d67165830ded052a1ede2d2c0b02a - Exploit

06 Jul 2023, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-06 05:15

Updated : 2024-02-04 23:37


NVD link : CVE-2023-26137

Mitre link : CVE-2023-26137

CVE.ORG link : CVE-2023-26137


JSON object : View

Products Affected

drogon

  • drogon
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')